Achieving digital sovereignty: concrete steps for cloud, data, software, and AI

11 min read
July 15, 2026

Digital sovereignty isn’t a state you reach once and check off.

It’s the result of concrete decisions on cloud architecture, data management, software design, and AI use, decisions you keep making again and again.

I run DECODE’s German office in Düsseldorf. In our projects, I regularly see companies wanting to move from risk analysis to implementation, and getting stuck there because they don’t know where to start.

I described what digital sovereignty means and why it’s become relevant for German mid-market companies in an earlier article: Digital sovereignty for mid-market companies: why it matters now

This article goes a step further.

It’s no longer about the why, but the how: which steps across cloud, data, architecture, and AI actually create independence, and in what order to tackle them.

Key takeaways

Digital sovereignty in practice means implementing concrete measures across cloud, data, architecture, and AI, not just understanding the risks.

Four levers create real independence: cloud strategy (sovereign, hybrid, or public cloud with an exit plan), data governance (clear roles, SCCs as a fallback), software architecture (anti-corruption layers, modular systems), and AI sovereignty (control over training data and ownership structure).

The market is exploding in 2026: European sovereign cloud spending is set to reach $12.6 billion (+83%), and AWS alone has invested €7.8 billion in its own EU-only cloud region.

A European label isn’t a guarantee: Aleph Alpha’s planned merger with Canada’s Cohere shows that ownership structure and governance matter just as much as location.ealistic, because too much proprietary technology is built in.

Digital sovereignty: why 2026 is different

2026 is the year digital sovereignty moves from PowerPoint slides into the system architecture.

The market now offers real options. Gartner expects European sovereign cloud IaaS spending to reach $12.6 billion in 2026, an increase of 83 percent over 2025, and to nearly double that to $23.1 billion in 2027.

At the same time, the legal picture is getting more complicated.

On June 29, 2026, the US Supreme Court ruled in Trump v. Slaughter that the independence of the Federal Trade Commission (FTC) is unconstitutional, a structural prerequisite for the EU-US Data Privacy Framework.

The ECJ has had a case pending since October 2025 that could lead to a possible Schrems III scenario.

Act now, and you stay in control. Wait, and you’ll scramble under pressure when a vendor pulls out or the rules change overnight.

Cloud sovereignty strategy: hybrid, sovereign, and multi-cloud models

Cloud strategy is the biggest lever you have: nearly everything else depends on it. The good news? You have far more sovereign options in 2026 than you did two years ago.

Sovereign cloud vs. public cloud: how to choose

AWS launched the European Sovereign Cloud in January 2026, with a first region live in Brandenburg and an €7.8 billion investment.

It’s structurally separate from global AWS: its own legal entity under German law, EU-resident staff only, its own IAM (Identity and Access Management), billing, and certificate authority.

The price for this isolation is real. According to ITPro’s analysis, the price premium runs around 15 percent, only about 90 services are currently available versus more than 240 in regular EU regions, and services like CloudFront, GPU instances, and most Bedrock models are still missing.

Microsoft is taking a similar approach with Microsoft Cloud for Sovereignty, through dedicated national partner clouds in Germany and France.

European providers have caught up too: OVHcloud, STACKIT, and Scaleway have reached the highest Gaia-X maturity level, SEAL-3, one of several Gaia-X levels that measure the digital resilience and operational security of cloud services.

STACKIT, IONOS Cloud, and Open Telekom Cloud are already running in production at banks and in regulated environments.

Schwarz Digits, the Schwarz Group’s digital arm behind STACKIT, now generates around €2.2 billion in annual revenue, up 15.8 percent year over year, and is building one of Europe’s largest data centers in Lübbenau, designed to host up to 100,000 GPUs.

Three criteria matter for this decision:

  • Data classification. Not every workload needs a sovereign cloud. Personal and business-critical data does; internal test environments usually don’t.
  • Service maturity. Sovereign providers have caught up, but check whether the services you actually need are available.
  • Cost premium vs. risk. A 15 percent price premium is often cheaper than the cost of a forced migration two years down the line.

Weigh these three criteria properly, and you’ll land on a setup you can still justify two years from now.

Multi-cloud and vendor exit strategy

A cloud strategy without an exit plan isn’t a strategy, it’s a risky bet.

Multi-cloud setups are already standard for 26 percent of all deployments, according to the CNCF’s 2025 survey, and hybrid cloud use has risen to 32 percent, up from 22 percent in 2021.

Kubernetes is part of the reason: 82 percent of container users now run it in production, up from 66 percent in 2023.

Kubernetes abstracts infrastructure enough so you can move workloads between providers without rebuilding the application from scratch.

A real exit strategy needs three building blocks: documented data export processes, containerized workloads , and an annual test to check whether the migration can actually work in practice.

Data governance and data localization steps

Without clean data management, any cloud strategy is just cosmetic. The data itself is the real asset, and that’s exactly where the biggest dependencies form.

Data localization and legal jurisdiction

Check, vendor by vendor and data category by data category, what actually lets you transfer that data.

With Schrems III looming over the Data Privacy Framework, don’t lean on a vendor’s DPF certification alone.

Keep Standard Contractual Clauses (SCCs) on hand for every US vendor handling personal data.

Call it insurance: the legal ground is shifting, and SCCs keep you covered no matter what happens to the DPF.

Data governance framework: roles and responsibilities

Data governance mainly fails when you’re missing accountability.

A working framework needs:

  • A data owner per data domain, who decides on access, classification, and retention.
  • A classification scheme that distinguishes public, internal, confidential, and regulated data.
  • Documented data flows, so it’s clear which system transfers which data where.
  • Regular audits that check whether practice still matches documentation.

This structure is the foundation for everything that follows, from cloud migration to AI use.

Without it, you won’t know where your data actually sits or who’s responsible for it.

Software architecture for vendor independence

Architecture decides how expensive a vendor switch gets. And it’s where I see the biggest gap between theory and practice in client projects

Open standards instead of proprietary interfaces

Proprietary APIs and data formats tie you to a vendor more tightly than most decision-makers realize at the start of a project.

Open standards like REST, GraphQL, OpenTelemetry, or common container formats keep components interchangeable.

The same applies to data formats.

If you accept proprietary export formats, you only notice the cost when your data has to move into a new system and the conversion takes months.

API abstraction layers and the anti-corruption layer pattern

One of the most effective single steps for software architecture is an anti-corruption layer, also called the adapter pattern: a translation layer that separates your core logic from vendor-specific APIs.

Even AWS documents this pattern in its own architecture guidance.

The effect: switching vendors becomes a manageable configuration change instead of a multi-year rebuild.

Your business logic talks to a stable internal interface, not directly to the cloud or SaaS vendor’s API.

Modular architecture instead of a monolith

A monolith can’t be migrated step by step, it has to move all at once.

Modular architectures, whether as microservices or clearly separated modules within a system, let you swap out individual components independently.

That reduces not just vendor lock-in risk but operational risk too: a bug or outage in one module doesn’t take down the whole system.

For legacy systems, we at DECODE often use the strangler fig pattern, where the old monolith gets replaced piece by piece with modular components, instead of a risky big-bang rewrite.

AI sovereignty: steps for controlled AI use

AI sovereignty is the newest, but fastest-growing part of digital sovereignty. What matters here isn’t just which model you use, but who controls the training data, the weights, and the governance.

On-premise and EU-hosted LLM alternatives

The European market for sovereign AI models, especially LLMs, has matured considerably in 2026.

Paris-based Mistral AI closed a Series C round of around €1.7 billion in September 2025, led by Dutch semiconductor equipment maker ASML, at a post-money valuation of around €11.7 billion, the largest funding round in Europe’s AI history to date.

The company deliberately bets on open model weights instead of a closed system.

But be careful about assuming a European label alone guarantees sovereignty.

Aleph Alpha, based in Heidelberg and one of the first signatories of the EU’s Code of Practice for AI, agreed to merge with Cohere in April 2026. The deal values the combined company at roughly $20 billion, with the Schwarz Group also putting $600 million into Cohere’s Series E round.

Sovereignty depends not just on location, but on ownership structure and governance too.

Check three things with every AI vendor:

  • Where requests and training data are actually processed, not just where headquarters is located.
  • Who owns the company, and whether that could change through an acquisition.
  • Whether there’s an on-premise or self-hosting option for sensitive workflows.

These three questions take only a few hours to check, but can save you months of work if things go wrong.

EU AI Act compliance and training data control

The EU AI Act is getting more concrete, not softer.

Starting August 2, 2026, the transparency obligations under Article 50 apply, covering things like labeling chatbot interactions and disclosing emotion recognition.

The AI Digital Omnibus, agreed in May 2026, does push back the high-risk obligations under Annex III to December 2027.

The sensible response isn’t to let that extra time go to waste.

Use the deadline now to inventory your AI systems, classify them by risk level, and build governance structures, instead of scrambling under pressure closer to the new deadline.

Digital sovereignty roadmap: prioritizing the right steps

Not every step deserves the same urgency. Without prioritization, you get stuck in endless debate instead of moving forward.

Quick wins: the first 3 months

These steps deliver results fast:

  • Run data classification for your three most critical systems.
  • Prepare SCCs as a fallback for every US vendor handling personal data.
  • Build a first anti-corruption layer for your most vendor-dependent core component.
  • Create an AI system inventory with risk classification under AI Act logic.

Complete these four points in the first three months, and you’ve laid the groundwork for the bigger investments that come next.

Long-term investments: the next 2 years

These measures need budget, time, and often outside expertise:

  • Migrating business-critical workflows to a sovereign or hybrid cloud
  • Gradually modularizing monolithic core systems
  • Building a complete data governance framework with defined roles and audits
  • Evaluating on-premise or EU-hosted LLM alternatives for sensitive use cases

This roadmap is just a starting point.

What matters is that quick wins prepare the ground for long-term investments instead of taking time away from them.

Common digital sovereignty mistakes to avoid

I see the same three pitfalls with clients again and again.

The first is all-or-nothing thinking: teams wait for the perfect sovereign solution instead of starting with the quick wins that show results immediately.

The second mistake is treating sovereignty as a purely IT topic. Data governance and AI governance need decisions from leadership and business, not just the IT department.

The third mistake is confusing a vendor’s location with actual control. The Aleph Alpha case shows that a European label isn’t a guarantee. Check ownership structure, contract terms, and technical portability, not just the country of origin.

Achieving digital sovereignty: FAQs

No.

Mid-sized companies are often more exposed, since they often lack a dedicated IT department managing a broad set of providers, and more often rely on a single platform.

No. Sovereignty means freedom of choice.

Many digitally sovereign companies will still use US hyperscalers, but they’ve deliberately prepared alternatives and exit strategies should they become necessary.

Often yes, in the short term, because multi-cloud strategies and modular architectures take extra effort.

In the medium term, costs usually fall, because you regain negotiating leverage with providers and avoid hidden migration costs.

Looking for a partner for digital sovereignty in software?

Many companies already understand why digital sovereignty matters. The harder part is making the architecture decisions and building the systems that actually deliver it.

At DECODE, we’ve built custom software, cloud infrastructure, and modular architectures since 2012, for companies where software runs the business.

Whether that’s an anti-corruption layer for an existing system, modularizing a monolith step by step, or evaluating sovereign cloud and AI options for your specific case, we bring the technical depth these decisions need.

From Düsseldorf, we work closely with German mid-market companies and enterprises, backed by clear communication and a team that understands what’s at stake.

Categories
Written by

Miki

Managing Director

Miki leads our German branch, DECODE Services GmbH. He was born in Croatia, grew up in Germany, and brings a unique blend of both cultures to his work. With 30+ years of experience in both hardware and software, Miki’s built everything from early Android apps to enterprise-grade IoT systems. He’s one of the original contributors to Android’s developer community and has spoken at - and helped organize - droidcon conferences across Europe. These days, he’s deep into AI and IoT, working closely with industry leaders and helping them build innovative solutions. When he’s not working, you’ll probably find him hiking, mountain biking, or cooking a delicious meal with his family.

Related articles